New security capabilities in Operations Management Suite

Microsoft Operations Management Suite (OMS) Log Analytics offers you the ability to derive deep and actionable insights across your IT environment, from the on-premises datacenter to the cloud. As part of Log Analytics, the Security and Audit solution gives you a holistic, data-driven approach to security.

Today we are announcing that we are increasing the value of the Security and Audit solution by improving its user experience, extending its coverage and introducing new capabilities. Some of these changes are available today, while others will gradually roll out over the coming weeks. These capabilities are available as part of the public preview of OMS Log Analytics.

We see this as the beginning of a journey to provide a comprehensive hybrid Security and Audit solution that will span across any platform in any cloud. We will add capabilities over time and will harmonize this solution with other Microsoft security offerings. We are excited about getting your feedback and learning more about how you are using these new capabilities. Feel free to contact us anytime: omssecfeedback@microsoft.com.

Check out the details of these new additions below:

New dashboard

The entry point to the new Security and Audit solution is an expanded and updated dashboard. This dashboard is the home screen for everything related to security in OMS, designed to provide high-level insight into the security state of your servers. Key features include the ability to view all events from the past 24 hours, seven days or any other custom time frame. It can be accessed from the web or via OMS mobile apps.

The dashboard includes three parts:

Security Domains dashboards

Security has many different domains, and each one has its own specifics and particular data sources. In this release, we introduce several new and updated domain dashboards:

Identity and Access: Presents security information relating to authentication and access control events

Networking: Highlights the security aspects of networking data based on information collected by the OMS WireData solution

Azure Security Center: Links to Azure Security Center, which provides enhanced security protection and detection for resources located in Azure

Malware Assessment: Links to the malware assessment solution that presents the status of the antimalware software on the different servers. In the future, the antimalware solution will be integrated into the Security and Audit solution and appear as another domain dashboard. More details on antimalware below.

Update Assessment: Links to the system update assessment solution

Notable issues

The notable issues area has a new look and feel as well as enhanced content. You will see that notable issues are now prioritized and sorted according to their importance. There are also several new monitored issues such as clear password logon and guest account activities. To help cope with data overload, this list includes most of the counters that were previously presented as tiles. We plan to add more issues to this list based on the growing number of data types that are collected by OMS.

Threat intelligence

Microsoft runs the biggest cloud services in the world, giving us a unique view of the threat landscape. The insights we derive, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response. We know, for example, where attacks come from and are able to identify malicious IP addresses. Our goal is to enable our customers to benefit from this knowledge to protect their resources.

The new threat intelligence section of the Security and Audit solution visualizes the possible attack patterns in several ways: the total number of servers with outbound malicious IP traffic, the malicious threat type and a map that shows where these IPs are coming from. You can interact with the map and click on the IPs for more information.

Yellow pushpins on the map indicate incoming traffic from malicious IPs. It is not uncommon for servers that are exposed to the internet to see incoming malicious traffic, but we recommend reviewing these attempts to make sure none of them was successful. These indicators are based on IIS logs, WireData and Windows Firewall logs.

Red pushpins on the map indicate outbound traffic from your servers to malicious IP addresses. This is less common and should be carefully examined: it means that someone or something on your servers is contacting suspicious destinations on the internet. This might be the result of a compromised machine communicating with a command and control server or exfiltrating data. Outbound traffic data is based on Windows Firewall and WireData logs.
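The inbound (yellow) and outbound (red) distinction described above, as an added example that is not part of the original post or of OMS itself: it reads the Windows Firewall pfirewall.log format, matches each record against an indicator list and reports which local server talked to which listed address. The log lines and the indicator set are constructed sample data standing in for the real threat intelligence feed.

```python
"""Classify Windows Firewall log records against a malicious-IP indicator list.

Added example, not OMS code. The indicator set and log excerpt below are constructed.
"""
from dataclasses import dataclass

# Constructed indicator set: pretend these addresses appear on a malicious-IP feed.
MALICIOUS_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed pfirewall.log excerpt. Field order follows the #Fields header;
# "path" is RECEIVE for inbound traffic and SEND for outbound traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-03-01 10:00:01 DROP TCP 198.51.100.23 10.0.0.5 51514 3389 52 S 123 0 8192 - - - RECEIVE
2016-03-01 10:00:05 ALLOW TCP 10.0.0.5 192.0.2.10 49152 443 0 - 0 0 0 - - - SEND
2016-03-01 10:00:09 ALLOW TCP 10.0.0.7 203.0.113.77 49201 8080 0 - 0 0 0 - - - SEND
2016-03-01 10:00:12 ALLOW UDP 10.0.0.5 10.0.0.1 54321 53 0 - - - - - - - SEND
"""

@dataclass(frozen=True)
class Hit:
    server: str      # the monitored host's own address
    remote: str      # the indicator-listed address it exchanged traffic with
    direction: str   # "inbound" (yellow pushpin) or "outbound" (red pushpin)
    action: str      # ALLOW or DROP, as logged by the firewall

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the log's own #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_indicator_hits(log_text, indicators):
    """Inbound hits match on src-ip for RECEIVE; outbound hits match on dst-ip for SEND."""
    hits = []
    for rec in parse_firewall_log(log_text):
        if rec["path"] == "RECEIVE" and rec["src-ip"] in indicators:
            hits.append(Hit(rec["dst-ip"], rec["src-ip"], "inbound", rec["action"]))
        elif rec["path"] == "SEND" and rec["dst-ip"] in indicators:
            hits.append(Hit(rec["src-ip"], rec["dst-ip"], "outbound", rec["action"]))
    return hits

def servers_with_outbound_hits(hits):
    """Mirror the dashboard counter: distinct servers that contacted listed addresses."""
    return sorted({h.server for h in hits if h.direction == "outbound"})
```

Note that the outbound hit above was an ALLOW: a firewall that permits the connection still records it, which is exactly why the red pushpins deserve review even when nothing was blocked.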

Antimalware assessment

One of the most important tools to defend your systems is antimalware software. Building upon existing antimalware capabilities in OMS, the antimalware solution has been extended to enable:

Full coverage for Microsoft antimalware engines

The revised antimalware solution will have new detection capabilities and will be able to interrogate all Microsoft antimalware solutions such as System Center Endpoint Protection and Windows Defender. The solution will use their APIs to verify installation and interrogate the threat status.

Detect more antimalware engines via Windows Security Center

The new solution will also be able to detect all types of antimalware software using the Windows Security Center APIs. This covers most antimalware software running on Windows clients and on Windows Servers with the Desktop Experience enabled. Datacenter and Standard editions of Windows Server 2016 will have Windows Security Center enabled by default. Using this mechanism, the solution will be able to detect the protection status of every antimalware product that registers its existence through this API, which is the common practice among antimalware vendors.

We will continue to invest in improving the antimalware solution and extending its coverage. We will add detection and status collection using more techniques for all commonly used antimalware vendors.

Going forward, the antimalware assessment solution will be folded into the Security and Audit solution, and it will no longer be necessary to add both of them to a workspace.

The road ahead

This release is just the first step in our journey to provide a comprehensive hybrid Security and Audit solution for OMS customers. We are interested in hearing your feedback and suggestions. Our team is already working hard on several areas:

Harmonization with other Microsoft security offerings

Microsoft looks at security as a major focus area and strives to help our customers across all aspects of security. Microsoft has several security products to protect different types of workloads such as Azure Security Center, Advanced Threat Analytics and Office Advanced Threat Protection. We are working to bring these products closer together and increase their synergy.

Linux

Our team continues to work hard to ensure that Linux is a first class citizen in OMS. The existing OMS Linux agent already collects multiple types of authentication and authorization information. We will add this information to the existing dashboards and will extend the agent collection capabilities to cover more scenarios.

Third-party security solutions

There are many security vendors in the market and we want customers to be able to integrate them with their investments in OMS. We will continue to collaborate with vendors to extend our coverage, increasing our interoperability with other security products on all security domains.

Additional domain dashboards

The two new domain dashboards are just the first step in providing comprehensive visibility into all aspects of security. We plan to enhance the network and identity dashboards with further data and visualizations. At the same time, we will add more dashboards from different domains.

Additional malicious IP and geo-tagging

We will extend our malicious IP detection and geo-tagging to cover additional types of records, providing additional indicators of malicious or suspicious activities.